JavaScript analysis

This section describes the basics of how static analysis of JavaScript works, and how the results are presented.

JavaScript analysis results

Because ADAC performs static analysis of JavaScript source code, each issue it finds includes source-level trace information that shows the vulnerable code. You can view this trace in the Issue Information tab of the Detail pane.

Highlighted and numbered lines in the code show, step by step from source to sink, how untrusted data that enters the application is propagated until it reaches a point where it is used insecurely.


[Figure: highlighted code lines showing the trace from source to sink]

ADAC uses IBM's "string analysis" technology to reduce false positives and to classify issues more accurately.

The principles of string analysis

ADAC analyzes each page in two stages: taint (data flow) analysis, then string analysis. In the first stage, ADAC looks for a trace from a source to a sink that does not pass through a sanitizer. If such a trace is found, ADAC validates it in the second stage using string prefix analysis (SPA), a variant of string analysis.

When the source is a URL, or part of one, some traces are exploitable only if the attacker can control the host and path parts of the URL at the point of the sink. SPA validates these cases by tracking the string operations that manipulate the source URL. SPA assumes that the host and path of the URL are not controlled by the attacker, while the query and/or anchor (fragment) parts are:


The part before the question mark (scheme, host and path) is not controlled; the part after it (query and anchor) is controlled. For example, in https://www.example.com/app/page?param=value#anchor, the analysis treats https://www.example.com/app/page as fixed and param=value#anchor as attacker-controlled.

At the sink, SPA checks whether the host and path parts of the resulting URL can be controlled by an attacker. If both are found to be fixed, the issue is eliminated as a false positive; if either can be controlled, the issue is reported.

If the redirect target begins with the prefix javascript: or mailto:, the issue is classified more accurately as "DOM Based Cross-Site Scripting" or "DOM Based Email Spoofing" respectively, because a javascript: URL is executed by the browser rather than navigated to, and a mailto: URL opens the mail client with attacker-chosen content rather than a web page.
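The source-to-sink trace and the two-stage check described above, as an added example that is not ADAC's or AppScan's own code: a small character-level taint model in JavaScript. The real analyzer works statically on the program text; here the same rule (everything from the first ? or # in location.href is attacker-controlled, and a redirect is kept only if a controlled character can land in the host or path, or the fixed prefix is javascript: or mailto:) is run concretely over one representative URL so the decisions can be observed. The URL, the snippets, the TaintedString class and classifyRedirect are all constructed for this example and are not part of the product.

```javascript
// Added example, not ADAC/AppScan code: a character-level taint model that
// mimics the decision string prefix analysis makes at a redirect sink.

class TaintedString {
  constructor(text, taint) {
    this.text = text;
    this.taint = taint;            // one boolean per character: attacker-influenced?
  }
  static constant(s) {
    return new TaintedString(s, new Array(s.length).fill(false));
  }
  // Source: location.href under the SPA assumption that scheme, host and
  // path are fixed while everything from the first '?' or '#' on is controlled.
  static fromLocationHref(href) {
    const cut = href.search(/[?#]/);
    const fixedLen = cut === -1 ? href.length : cut;
    return new TaintedString(href, Array.from({ length: href.length }, (_, i) => i >= fixedLen));
  }
  concat(other) {
    const o = typeof other === 'string' ? TaintedString.constant(other) : other;
    return new TaintedString(this.text + o.text, this.taint.concat(o.taint));
  }
  slice(start, end) {
    return new TaintedString(this.text.slice(start, end), this.taint.slice(start, end));
  }
  indexOf(needle) {
    return this.text.indexOf(needle);
  }
  split(sep) {                      // every piece keeps its own taint marks
    const parts = [];
    let from = 0;
    for (;;) {
      const at = this.text.indexOf(sep, from);
      if (at === -1) {
        parts.push(this.slice(from));
        return parts;
      }
      parts.push(this.slice(from, at));
      from = at + sep.length;
    }
  }
}

// Sink check for `location.href = v` (also location = v, location.assign(v), ...).
function classifyRedirect(v) {
  const firstTainted = v.taint.indexOf(true);
  if (firstTainted === -1) return 'eliminated: value is constant';
  // Only the attacker-independent prefix is known to a static analyzer.
  const fixedPrefix = v.text.slice(0, firstTainted);
  if (/^\s*javascript:/i.test(fixedPrefix)) return 'DOM Based Cross-Site Scripting';
  if (/^\s*mailto:/i.test(fixedPrefix)) return 'DOM Based Email Spoofing';
  // Host and path end at the first '?' or '#'. A tainted character before that
  // point means the attacker can choose the destination host or path.
  const cut = v.text.search(/[?#]/);
  const hostPathEnd = cut === -1 ? v.text.length : cut;
  const hostPathControlled = v.taint.slice(0, hostPathEnd).some(Boolean);
  return hostPathControlled ? 'Open Redirect' : 'eliminated: host and path are fixed';
}

// Constructed representative URL; the attacker controls only the part after '?'.
const HREF = 'https://app.example.com/login?next=https://evil.example/#top';

// Each entry models one redirect snippet (shown in the comment) and returns
// what the sink check decides for it.
function analyzeSnippets() {
  const href = TaintedString.fromLocationHref(HREF);
  const hash = href.slice(href.indexOf('#'));          // models location.hash
  const query = href.split('?')[1].split('#')[0];       // "next=https://evil.example/"
  return {
    // location.href = location.href.substring(location.href.indexOf('next=') + 5)
    rawParam: classifyRedirect(href.slice(href.indexOf('next=') + 5)),
    // location.href = location.href.split('#')[0] + '#welcome'
    fragmentRewrite: classifyRedirect(href.split('#')[0].concat('#welcome')),
    // location.href = '/account?ref=' + query
    queryOnly: classifyRedirect(TaintedString.constant('/account?ref=').concat(query)),
    // location.href = '/app/' + location.hash.slice(1)   (path is controlled)
    pathSuffix: classifyRedirect(TaintedString.constant('/app/').concat(hash.slice(1))),
    // location.href = 'javascript:' + location.hash.slice(1)
    jsScheme: classifyRedirect(TaintedString.constant('javascript:').concat(hash.slice(1))),
    // location.href = 'mailto:' + location.hash.slice(1)
    mailScheme: classifyRedirect(TaintedString.constant('mailto:').concat(hash.slice(1))),
  };
}
```

The fragmentRewrite and queryOnly cases are the ones the second stage removes: the tainted text can only ever reach the query or fragment, so the destination host and path stay fixed. The pathSuffix case is kept because, under the page's rule, a controllable path is enough; the two scheme cases show why the classification switches away from "open redirect" once the fixed prefix is javascript: or mailto:.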